Enrichment Sources maintain the information that you can use to enrich your logs. LogPoint currently supports the following type of enrichment sources:
LDAP: You can use the LDAP (Lightweight Directory Access Protocol) enrichment source to enrich logs with the additional information of users extracted from the LDAP server. Refer to the LDAPEnrichmentSource Guide for more details.
GeoIP: You can use the GeoIP enrichment source to enrich logs with the geographical information of a public IP address. Refer to the GEOIP Guide for more details.
CSV: You can use the CSV enrichment source to enrich logs from data present in a Comma Separated Values (CSV) file. Refer to the CSVEnrichmentSource Guide for more details.
IPtoHost: You can use the IPtoHost enrichment source to enrich logs with a reliable hostname. Refer to the Adding IPtoHost as an Enrichment Source section for more details.
ODBC: You can use the ODBC (Open Database Connectivity) enrichment source to look up the data in a database server and enrich the incoming logs. LogPoint supports the PostgreSQL, MSSQL, and MySQL databases. Refer to the Adding ODBC as an Enrichment Source section for more details.
Threat Intelligence: You can use the Threat Intelligence enrichment source to enrich logs with the information gathered from various threat intelligence sources. Refer to the Threat Intelligence Guide For LogPoint for more details.
Enrichment Sources¶
Note
You can see the total Memory Used by all the enrichment sources near the top-left corner of the panel.
Depending on the file size, the enrichment sources may still appear in the list after being deleted. In this case, you need to click Refresh to view the updated list.
Plugins associated with the enrichment sources must be available before adding an enrichment source. For example, to add an ODBC enrichment source, the ODBC plugin must be present in the system.
The total size for the enrichment sources is set to 4 GB.
You can use the IPtoHost enrichment source to retrieve a hostname from an IP Address present in an incoming log. Whenever LogPoint receives a log containing an IP Address, it requests a DNS Server to resolve the IP into a hostname. If the DNS succeeds in resolving the IP Address, the hostname is shown as an enriched field in the log. If not, the log remains as it is.
To add IPtoHost as an enrichment source:
Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.
Click Add.
Select IPtoHost.
Adding IPtoHost as an Enrichment Source¶
Note
If the Use only the private IPs present in the HOMENET list checkbox is enabled, LogPoint enriches only the logs with the IP field name present in the HOMENET list.
Provide a Name.
In the IP Field Name textbox, provide the field name which contains an IP Address.
In the Host Field Name textbox, provide the field name where the hostname should be kept.
Click Save.
Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.
Click Add.
Select the ODBC option.
Provide a Name.
Select a Charset from the drop-down menu.
Select a Driver from the drop-down menu.
Note
If you choose the MSSQL driver, a checkbox for Windows Authentication appears. If you select the checkbox, provide the domain of the Windows machine.
Provide Server and Port of the database server.
Provide a Database name.
Provide Username and Password.
Provide the SQL Query to fetch data.
Note
The Source Fields section is populated once you enter the correct values to all the fields of the Connection Parameters section.
In the Enrichment Options section, select Age Limit and Update Interval. Age Limit is the validation limit of the source data. Likewise, Update Interval defines the interval to read the source data.
Select Type.
Select Update to modify the ODBC connection, or Replace to restore the existing connection.
Enter Increment Key, Increment Key Table, and New Line Separator. These values are required only for the Update type.
Increment Key indicates the value of the primary key field to be created automatically each time a new record is inserted. The Increment Key must always be an integer.
Increment Key Table indicates the table in which the Increment Key belongs to.
New Line Separator indicates the character that separates the values in the database.
Click Save.
Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.
Select the required enrichment source.
Enrichment Source¶
Update the information.
Click Save.
Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.
Click the Delete icon under the Actions column of the source.
Enrichment Sources¶
To delete multiple enrichment sources, select the sources, click the More drop-down menu, and choose Delete Selected.
Deleting selected Enrichment Source¶
To delete all the enrichment sources, click the More drop-down menu, and choose Delete All.
Deleting all Enrichment Sources¶
Click Yes on the delete confirmation dialog box.
